Tuesday, March 19, 2013

5 signs you've been hit with an advanced persistent threat

By Roger A. Grimes

Created 2012-10-16 03:00AM

Hackers who employ APTs (advanced persistent threats)[1] are a different breed. A real and constant threat to the world's companies and networks, APT hackers tend to be well organized, working together as part of a professional team. Their goal, typically, is to steal valuable intellectual property, such as confidential project descriptions, contracts, and patent information.

Generally, APT hackers employ familiar methods, using phishing emails or other tricks to fool users into downloading malware. But the ultimate objective tends to be very ambitious. If you discover a break-in where the only apparent intent was to steal money from your company, then it probably wasn't an APT hack. Those who deal in APTs are trying to be your company.

Because APT hackers use different techniques from ordinary hackers, they leave behind different signs. Over the past decade, I've discovered the following five signs are most likely to indicate that your company has been compromised by an APT. Each could be part of legitimate actions within the business, but their unexpected nature or the volume of activity may bear witness to an APT exploit.

APT sign No. 1: Increase in elevated log-ons late at night

APTs rapidly escalate from compromising a single computer to taking over the whole environment. They do this by reading an authentication database, stealing credentials, and reusing them. They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. Often, a high volume of elevated log-ons occurs at night because the attackers live on the other side of the world. If you suddenly notice a high volume of elevated log-ons while the legitimate work crew is at home, start to worry.
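The off-hours check sign No. 1 describes, as an added example that is not part of the article: it buckets elevated log-ons by hour, ignores business hours, and flags any hour whose count reaches a threshold. The log format, the business-hours window, the threshold and the sample lines are all constructed assumptions; the "elevated" column stands in for whatever your logon events record (for Windows, the elevated-token field of a logon event).

```python
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not from the article): one per logon,
# "timestamp | account | elevated". The format is an assumption.
SAMPLE_LOGONS = """\
2012-10-15 09:12:07 | CORP\\jsmith   | yes
2012-10-15 09:40:55 | CORP\\svc_sql  | yes
2012-10-15 14:03:18 | CORP\\admin01  | yes
2012-10-15 02:11:02 | CORP\\admin01  | yes
2012-10-15 02:12:44 | CORP\\admin01  | yes
2012-10-15 02:15:09 | CORP\\svc_sql  | yes
2012-10-15 02:19:31 | CORP\\admin01  | yes
2012-10-15 03:02:50 | CORP\\jsmith   | no
2012-10-15 03:05:12 | CORP\\svc_sql  | yes
"""

# Local hours during which the legitimate crew is expected to be working (assumed).
BUSINESS_HOURS = range(7, 20)


def parse_logons(text):
    """Yield (timestamp, account, elevated) tuples from the sample format."""
    for line in text.splitlines():
        ts, account, elevated = (field.strip() for field in line.split("|"))
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account, elevated == "yes"


def off_hours_elevated(text, threshold=3):
    """Count elevated logons per (date, hour) outside BUSINESS_HOURS.

    Returns {(date, hour): (count, sorted accounts)} for every bucket whose
    count is at or above threshold; non-elevated logons are ignored.
    """
    counts = Counter()
    accounts = {}
    for ts, account, elevated in parse_logons(text):
        if not elevated or ts.hour in BUSINESS_HOURS:
            continue
        key = (ts.date().isoformat(), ts.hour)
        counts[key] += 1
        accounts.setdefault(key, set()).add(account)
    return {key: (n, sorted(accounts[key]))
            for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (day, hour), (n, who) in sorted(off_hours_elevated(SAMPLE_LOGONS).items()):
        print(f"{day} {hour:02d}:00  {n} elevated log-ons from {who}")
```

Tune the threshold against your own baseline: a handful of elevated service-account log-ons at 02:00 may be a scheduled job, while a burst from interactive admin accounts is the pattern worth chasing.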

APT sign No. 2: Finding widespread backdoor Trojans

APT hackers often install backdoor Trojan programs on compromised computers within the exploited environment. They do this to ensure they can always get back in, even if the captured log-on credentials get changed when the victim gets a clue. Another related trait: Once discovered, APT hackers don't go away like normal attackers. Why should they? They own computers in your environment, and you aren't likely to see them in a court of law.

These days, Trojans deployed through social engineering provide the avenue through which most companies are exploited. They are fairly common in every environment -- and they proliferate in APT attacks.

APT sign No. 3: Unexpected information flows

If I could pick the single best way to detect APT activities, this would be it: Look for large, unexpected flows of data from internal origination points to other internal computers or to external computers. It could be server to server, server to client, or network to network.

Those data flows may also be limited, but targeted -- such as someone picking up email from a foreign country. I wish every email client had the ability to show where the latest user logged in to pick up email and where the last message was accessed. Gmail and some other cloud email systems already offer this.

Of course, in order to detect a possible APT, you have to understand what your data flows look like before your environment is compromised. Start now and learn your baselines.
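The baseline-then-compare approach sign No. 3 calls for, as an added example that is not from the article: a week of per-day byte totals per source/destination pair becomes the baseline, and a new day's flows are flagged either because the pair was never seen or because its volume is far above its own history. The host names, addresses, byte counts and the limit formula are constructed assumptions; real input would come from aggregated NetFlow or firewall logs.

```python
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000

# Constructed per-day flow totals (src, dst, bytes) for a baseline week (assumed).
BASELINE = {
    "mon": [("fs01", "backup01", 900 * MB), ("ws-17", "mail01", 20 * MB)],
    "tue": [("fs01", "backup01", 950 * MB), ("ws-17", "mail01", 18 * MB)],
    "wed": [("fs01", "backup01", 880 * MB), ("ws-17", "mail01", 25 * MB)],
    "thu": [("fs01", "backup01", 920 * MB), ("ws-17", "mail01", 22 * MB)],
    "fri": [("fs01", "backup01", 910 * MB), ("ws-17", "mail01", 19 * MB)],
}
# Constructed flows for the day under review.
TODAY = [
    ("fs01", "backup01", 930 * MB),          # normal nightly backup
    ("ws-17", "mail01", 21 * MB),            # normal mail traffic
    ("fs01", "ws-42", 4_000 * MB),           # file server pushing 4 GB to a workstation
    ("ws-42", "203.0.113.9", 3_800 * MB),    # that workstation sending it outside
]


def build_baseline(days):
    """Return {(src, dst): byte limit} learned from the baseline days."""
    per_pair = defaultdict(list)
    for flows in days.values():
        for src, dst, nbytes in flows:
            per_pair[(src, dst)].append(nbytes)
    baseline = {}
    for pair, samples in per_pair.items():
        m, sd = mean(samples), pstdev(samples)
        # Tolerate day-to-day jitter (3 sigma) but never a doubling of the usual volume.
        baseline[pair] = max(m + 3 * sd, 2 * m)
    return baseline


def unexpected_flows(baseline, flows, min_bytes=100 * MB):
    """Flag flows above min_bytes whose pair is new or whose volume exceeds its limit."""
    findings = []
    for src, dst, nbytes in flows:
        if nbytes < min_bytes:
            continue
        limit = baseline.get((src, dst))
        if limit is None:
            findings.append((src, dst, nbytes, "pair never seen in baseline"))
        elif nbytes > limit:
            findings.append((src, dst, nbytes, f"exceeds baseline limit {int(limit)}"))
    return findings


if __name__ == "__main__":
    for src, dst, nbytes, why in unexpected_flows(build_baseline(BASELINE), TODAY):
        print(f"{src} -> {dst}: {nbytes // MB} MB ({why})")
```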

APT sign No. 4: Discovering unexpected data bundles

APTs often aggregate stolen data to internal collection points before moving it outside. Look for large (we're talking gigabytes, not megabytes) chunks of data appearing in places where that data should not be, especially if compressed in archive formats not normally used by your company.

APT sign No. 5: Detecting pass-the-hash hacking tools

Although APTs don't always use pass-the-hash attack[5] tools, they frequently pop up. Strangely, after using them, hackers often forget to delete them. If you find pass-the-hash attack[5] tools hanging around, it's OK to panic a little or at least consider them as evidence that should be investigated further.

If I had to think of a sixth indicator -- there's no charge for this one -- it would be focused spear-phishing campaigns against a company's employees using malformed Adobe Acrobat PDF files. This is the original causative agent in the vast majority of APT attacks. I didn't include it in the original five signs above because Adobe Acrobat is exploited[6] all over the place. But if you hear of a focused spear-phishing attack, especially if a few executives have reported being duped[7] into clicking on an attached PDF file, start looking for the other five signs and symptoms. It may be your canary in the coal mine.

That said, I hope you never have to face cleaning up from an APT attack. It's one of the hardest things you and your enterprise can do. Prevention[8] and early detection will reduce your suffering.